Botnets: Beware the ‘army of darkness’

By Dennis Carter, Assistant Editor, eSchool News

June 16th, 2008

Cyber criminals are looking for holes in your school systems’ networks so they can seize control of computers to launch attacks anonymously, experts say–distributing spam, viruses, or "Trojan Horse" assaults while often avoiding prosecution. The problem has grown so pervasive that computer-security experts have taken to referring to botnets as the "army of darkness"–and education institutions are this army’s targets of opportunity.

Craig Schiller, the chief information security officer at Portland State University, is widely considered a leading authority on "botnets," or collections of computers under a hacker’s control. He said school officials’ desire to keep computer networks open to all students and faculty leaves an opening for cyber criminals looking for networks without tight security measures.

"The general environment on a university campus is for open access, which usually means not a whole lot of protection," Schiller said, adding that schools and universities with massive hard-drive space are especially vulnerable, because that trait is desirable to botnet hackers.

Botnets are a growing problem for CIOs worldwide–and even federal authorities have gotten involved. Addressing the problem, Schiller said, starts with alerting schools’ tech chiefs to the prevalence of botnets, which–in some cases–can shut down an entire computer network.

"The bad guys’ side is heavily involved in [botnets], but we find people on the other side who are still not exposed to this [problem]," said Schiller, who gives presentations on the dangers of botnets at technology conferences across the country and penned the book Botnets: The Killer Web Applications in April 2007.

Last November, a University of Pennsylvania junior was charged in an ongoing investigation into the use of botnets on college campuses. The botnet attacks caused a university server to crash after four days of nonstop traffic.

The hacker, Owen Thor Walker, 18, who was part of a botnet scheme that infected more than a million computers across the world, pleaded guilty to the crime in April. His sentencing was delayed late last month. Walker is scheduled to be sentenced July 15, according to the courts.

Botnets have attacked businesses–mom-and-pop shops and multinational corporations alike–and a bevy of web sites in recent years. In his presentation to tech chiefs, Schiller mentions a group of botnets that attacked a dozen gambling web sites in 2004. The botnets essentially held the sites ransom for $10,000 to $50,000 each.

Several technology department heads at the K-12 level interviewed by eSchool News said they had never heard of botnets and were unaware of their potential to harm campus computers.

"It’s a case where you don’t know what you don’t know," Schiller said.

Bob Moore, executive director of IT services for the Blue Valley Union School District in Kansas, said his school system has not encountered any botnet attacks in recent years, but a student computer was once hacked and used to relay spam–a common maneuver of botnets.

"It is one of those issues you have to stay on top of," he said in an eMail message to eSchool News. "As with any security issue, there is no one single thing you can do to protect yourself."

Moore said technology directors should keep a constant eye on their school system’s firewalls, spyware, and server configuration, making sure updates are done properly and "necessary security patches are applied." Moore added that administrative rights should be limited in school district networks, instead of maintaining a completely open, online environment.

Federal prosecutors who find that school computers were used in cyber attacks do not prosecute the school, officials said. Instead, they attempt to track the perpetrator.

Still, Schiller and school technology officials said botnets could devastate school system networks, making computers inoperable in the worst cases. Once a hacker builds a botnet inside a school, IT managers must spend days or weeks to locate the infected machines, clean them, and bolster security shortcomings throughout their buildings or campus.

"In terms of impact, not only can botnets utilize bandwidth or possibly compromise data security, they can be a huge drain on the time of IT staff, time needed to clean up the messes," Moore said.

If a botnet uses a school computer to distribute thousands of spam eMail messages through the school system’s domain, "others’ spam filters may begin to block messages from your district," Moore said. "Not only would that be inconvenient, but it could cause public relations problems."

Although there will never be a cure-all for botnets, Schiller said a host of protections exist that schools can employ. At colleges and universities, where large servers are required for an enormous amount of financial and student information, Schiller said tech chiefs should isolate those servers from the rest of the campus, creating an obstacle for botnets roaming university networks.

Programs that show which computers have been contacted by botnets could also give technology chiefs the upper hand, he said. Conducting online searches for your school’s name and a common spam subject such as "Viagra" could give schools a heads-up if spam eMails are being sent from their servers. Schiller also suggests eliminating all generic accounts, which can easily be exploited by hackers looking to create one bot that eventually could spread to other computers, bogging down networks’ speed and possibly making computers unusable.

Gabor Sziladi, the director of information technology for the Humboldt County School District in Eureka, Calif., said his school system has not detected any signs of botnets in recent years, but it remains a concern among administrators.

Sziladi said he disagrees that school districts’ openness makes them targets for botnets. He said botnet attacks are avoidable if schools’ technology chiefs are willing to segregate teacher computers from student computers, making it more difficult for botnets to affect an entire school, campus, or district.

When Portland State University detected a massive botnet attack a few years ago, Schiller said technology department officials took several steps to find the 300 infected computers and prevent future attacks. Officials created a program that searches for "bot-like" behavior across the university’s networks, including password guessing and massive eMail blasts sent out in rapid succession. But even weeding out botnets won’t stop hackers from creating more sophisticated, "more malicious" botnet strategies, Schiller said.
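As an added illustration, not code from the article or from Portland State, here is a small Python sketch of the kind of "bot-like behavior" search described above: it flags hosts that fail many logins or open many outbound mail connections inside a short window. The log format, the thresholds, and the sample lines are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log ("<ISO timestamp> <host> <event>"), not real campus data:
# 10.20.3.7 guesses passwords, 10.20.4.12 blasts mail, the others are benign.
SAMPLE_LOG = "\n".join(
    [f"2008-06-16T09:00:{i:02d} 10.20.3.7 auth_fail" for i in range(6)]
    + ["2008-06-16T09:05:00 10.20.3.9 auth_fail",
       "2008-06-16T09:10:00 10.20.3.9 auth_ok",
       "2008-06-16T10:00:00 10.20.5.2 smtp_out",
       "2008-06-16T11:00:00 10.20.5.2 smtp_out"]
    + [f"2008-06-16T09:20:{i:02d} 10.20.4.12 smtp_out" for i in range(40)]
)

WINDOW = timedelta(seconds=60)                   # assumed burst window
THRESHOLDS = {"auth_fail": 5, "smtp_out": 30}   # assumed events per window

def parse_log(text):
    """Yield (timestamp, host, event) from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, host, event = line.split()
            yield datetime.fromisoformat(ts), host, event

def burst_hosts(records, event, threshold, window=WINDOW):
    """Hosts with at least `threshold` `event` records inside one `window`."""
    times = defaultdict(list)
    for ts, host, ev in records:
        if ev == event:
            times[host].append(ts)
    flagged = set()
    for host, stamps in times.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):       # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(host)
                break
    return flagged

def find_bot_like_hosts(log_text):
    """Map each suspicious host to the behaviors that tripped a threshold."""
    records = list(parse_log(log_text))
    report = defaultdict(list)
    for event, threshold in THRESHOLDS.items():
        for host in burst_hosts(records, event, threshold):
            report[host].append(event)
    return dict(report)

if __name__ == "__main__":
    for host, reasons in find_bot_like_hosts(SAMPLE_LOG).items():
        print(host, "->", ", ".join(reasons))
```

The single failed login from 10.20.3.9 and the two mail connections spread over hours from 10.20.5.2 stay under the thresholds, which is the point of using a rate rather than a raw count.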

"You’ll have lots of really good bullets, but you won’t have one that will take it all out," he said. "The [attacks] from two years ago are much different than the ones we’re seeing now."

As botnets become a lucrative business–one spammer earned $3 million a month, according to Schiller–organized criminals are providing resources to supplement these crimes and turn an even larger profit.

"Remember, these aren’t the hackers from the 90s," Schiller said. "These hackers are being paid by organized crime not to be seen."

# # # #

LEARN MORE ABOUT THE BOTNET PHENOMENON

For more information on the phenomenon of botnets in and outside of education, here is a selection of links you might find useful (Note: These resources are not under the purview of eSchool News):
